Bird
Raised Fist0
Kubernetesdevops~5 mins

Pod security admission controller in Kubernetes - Cheat Sheet & Quick Revision

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is the Pod Security Admission Controller in Kubernetes?
It is a built-in Kubernetes feature that checks pods against security policies before they are allowed to run, helping to enforce security standards.
Click to reveal answer
beginner
Name the three Pod Security Admission Controller policy levels.
The three levels are: Privileged, Baseline, and Restricted. Each level defines different security restrictions for pods.
Click to reveal answer
intermediate
How does the Pod Security Admission Controller enforce policies?
It intercepts pod creation or update requests and checks if the pod's security settings meet the policy. If not, it rejects the request.
Click to reveal answer
intermediate
What is the difference between the Baseline and Restricted policy levels?
Baseline allows common, less risky permissions for pods, while Restricted enforces stricter rules to minimize security risks.
Click to reveal answer
advanced
How can you enable the Pod Security Admission Controller in a Kubernetes cluster?
You enable it by configuring the API server with the --enable-admission-plugins flag including PodSecurity, and setting namespace labels to specify the policy level.
Click to reveal answer
Which Kubernetes feature checks pod security settings before allowing them to run?
APod Scheduler
BNetwork Policy
CConfigMap
DPod Security Admission Controller
What are the three policy levels of Pod Security Admission Controller?
APrivileged, Baseline, Restricted
BOpen, Closed, Custom
CAdmin, User, Guest
DLow, Medium, High
Which policy level allows the most permissions to pods?
APrivileged
BBaseline
CRestricted
DNone
How does the Pod Security Admission Controller reject a pod?
ABy deleting the pod after creation
BBy restarting the pod automatically
CBy blocking the pod creation request if it violates policy
DBy sending an alert but allowing the pod
How do you specify which Pod Security policy applies to a namespace?
ABy editing the pod spec
BBy setting labels on the namespace
CBy configuring the kubelet
DBy changing the node configuration
Explain how the Pod Security Admission Controller helps improve Kubernetes cluster security.
Think about how it acts like a security guard for pods.
You got /4 concepts.
    Describe the differences between the Privileged, Baseline, and Restricted Pod Security policies.
    Compare the level of permissions allowed by each policy.
    You got /4 concepts.

      Practice

      (1/5)
      1. What is the primary purpose of the Pod Security Admission Controller in Kubernetes?
      easy
      A. To monitor pod resource usage
      B. To manage network traffic between pods
      C. To schedule pods on specific nodes
      D. To enforce security policies on pods based on predefined security levels

      Solution

      1. Step 1: Understand the role of Pod Security Admission Controller

        This controller enforces security policies on pods to ensure they meet security standards.

      2. Step 2: Differentiate from other controllers

        It does not manage networking, scheduling, or resource monitoring, which are handled by other components.

      3. Final Answer:

        To enforce security policies on pods based on predefined security levels -> Option D

      4. Quick Check:

        Pod Security Admission = Enforce security policies [OK]
      Hint: Remember: Pod Security Admission controls pod security levels [OK]
      Common Mistakes:
      • Confusing it with network or scheduling controllers
      • Thinking it monitors resource usage
      • Assuming it manages pod lifecycle
      2. Which of the following is the correct way to specify the enforce mode for the Pod Security Admission Controller in a Kubernetes API server configuration?
      easy
      A. --enable-admission-plugins=PodSecurity --pod-security-enforce=audit
      B. --enable-admission-plugins=PodSecurity --pod-security-mode=enforce
      C. --enable-admission-plugins=PodSecurity --pod-security-enforce=restricted
      D. --admission-control=PodSecurity --pod-security-enforce=baseline

      Solution

      1. Step 1: Identify correct flag names for Pod Security Admission

        The correct flags are --enable-admission-plugins=PodSecurity and --pod-security-enforce=LEVEL where LEVEL is one of privileged, baseline, or restricted.

      2. Step 2: Verify option syntax and values

        --enable-admission-plugins=PodSecurity --pod-security-enforce=restricted: --enable-admission-plugins=PodSecurity --pod-security-enforce=restricted uses correct flag names and a valid security level 'restricted'. Options A uses invalid level, B uses incorrect flag --pod-security-mode, and C uses deprecated --admission-control.

      3. Final Answer:

        --enable-admission-plugins=PodSecurity --pod-security-enforce=restricted -> Option C

      4. Quick Check:

        Correct flags + valid level = --enable-admission-plugins=PodSecurity --pod-security-enforce=restricted [OK]
      Hint: Look for exact flag names and valid security levels [OK]
      Common Mistakes:
      • Using wrong flag names like --admission-control
      • Confusing enforce mode with audit or warn
      • Using invalid security levels
      3. Given this Pod Security Admission configuration snippet:
      apiVersion: policy/v1
kind: PodSecurity
metadata:
  name: enforce-baseline
spec:
  enforce:
    level: baseline
    version: "latest"
  warn:
    level: restricted
    version: "latest"
  audit:
    level: privileged
    version: "latest"

      What will happen if a pod with privileged permissions is created?
      medium
      A. The pod creation will be blocked due to enforcement at baseline level
      B. The pod creation will succeed but a warning will be logged
      C. The pod creation will succeed without any warnings or audits
      D. The pod creation will be audited but allowed

      Solution

      1. Step 1: Understand enforcement level

        The enforce level is set to baseline, which blocks pods that do not meet baseline security standards, including privileged pods.

      2. Step 2: Analyze pod permissions against levels

        Privileged pods exceed baseline restrictions, so enforcement blocks creation. Warnings and audits apply to lower levels but enforcement is strictest.

      3. Final Answer:

        The pod creation will be blocked due to enforcement at baseline level -> Option A

      4. Quick Check:

        Enforce baseline blocks privileged pods [OK]
      Hint: Enforce blocks pods below level; privileged > baseline [OK]
      Common Mistakes:
      • Confusing warn or audit with enforce
      • Assuming privileged pods pass baseline enforcement
      • Ignoring enforcement priority over warnings
      4. You configured the Pod Security Admission Controller with --pod-security-enforce=restricted, but pods with privileged containers are still being created. What is the most likely cause?
      medium
      A. The pods are created in namespaces labeled to exempt enforcement
      B. The admission controller is not enabled in the API server
      C. The pod spec has incorrect securityContext fields
      D. The Kubernetes version does not support Pod Security Admission Controller

      Solution

      1. Step 1: Check admission controller enablement

        If the controller was not enabled, no enforcement would occur cluster-wide, but the question implies partial enforcement.

      2. Step 2: Understand namespace labels impact

        Namespaces can be labeled to exempt or relax enforcement, allowing privileged pods despite cluster-wide settings.

      3. Step 3: Consider other options

        Incorrect pod specs or Kubernetes version issues would cause errors or no enforcement at all, not selective allowance.

      4. Final Answer:

        The pods are created in namespaces labeled to exempt enforcement -> Option A

      5. Quick Check:

        Namespace labels can exempt enforcement [OK]
      Hint: Check namespace labels for enforcement exemptions [OK]
      Common Mistakes:
      • Assuming controller is disabled without checking labels
      • Ignoring namespace-level exemptions
      • Blaming pod spec errors for enforcement bypass
      5. You want to enforce the Pod Security Admission Controller to block all pods that request hostPath volumes except in a specific namespace called trusted. How should you configure this?
      hard
      A. Set cluster-wide enforcement to restricted and label the trusted namespace with pod-security.kubernetes.io/enforce: baseline
      B. Set cluster-wide enforcement to restricted and label the trusted namespace with pod-security.kubernetes.io/enforce: privileged
      C. Set cluster-wide enforcement to baseline and label the trusted namespace with pod-security.kubernetes.io/enforce: baseline
      D. Set cluster-wide enforcement to privileged and label the trusted namespace with pod-security.kubernetes.io/enforce: restricted

      Solution

      1. Step 1: Understand security levels and hostPath restrictions

        The restricted level blocks hostPath volumes, while privileged allows them.

      2. Step 2: Apply cluster-wide enforcement and namespace override

        Set cluster-wide enforcement to restricted to block hostPath everywhere by default. Label the trusted namespace with pod-security.kubernetes.io/enforce: privileged to allow exceptions.

      3. Step 3: Verify option correctness

        Set cluster-wide enforcement to restricted and label the trusted namespace with pod-security.kubernetes.io/enforce: privileged correctly sets cluster-wide to restricted and trusted namespace to privileged, allowing hostPath only there.

      4. Final Answer:

        Set cluster-wide enforcement to restricted and label the trusted namespace with pod-security.kubernetes.io/enforce: privileged -> Option B

      5. Quick Check:

        Cluster restricted + trusted privileged = hostPath allowed only in trusted [OK]
      Hint: Cluster restrict + namespace privileged allows exceptions [OK]
      Common Mistakes:
      • Setting cluster enforcement too low to block hostPath
      • Using baseline instead of privileged for exceptions
      • Labeling trusted namespace with a stricter level